In a typical one-factor authentication (1FA) setup you only use a password. This makes it incredibly vulnerable; if someone has your password they can log in as you. Unfortunately, this is the setup most websites use.

On his Ello account Grant describes how, for as long as he’s had his Instagram account, he’s been dealing with unsolicited password reset emails a few times a week. That’s a big red flag that someone’s trying to hack into your account. Occasionally he’d get a 2FA code for the Gmail account that was attached to his Instagram account.

One morning things were different. He woke up to a text telling him his Google Account password had been changed. Fortunately, he was able to regain access to his Gmail account but the hackers had acted quickly and deleted his Instagram account, stealing the @gb handle for themselves.

What happened to Grant is particularly worrying because it occurred despite him using 2FA.

Hubs and Weak Points

Both Mat’s and Grant’s hacks relied on hackers using weak points in other services to get into a key hub account: their Gmail account. From this, the hackers were able to do a standard password reset on any account associated with that email address. If a hacker gained access to my Gmail, they’d be able to get access to my account here at MakeUseOf, my Steam account and everything else.

Mat has written an excellent, detailed account of exactly how he was hacked. It explains how the hackers gained access using weak points in Amazon’s security to take over his account, used the information they gained from there to access his Apple account and then used that to get into his Gmail account – and his entire digital life.

Grant’s situation was different. Mat’s hack wouldn’t have worked if he’d had 2FA enabled on his Gmail account. In Grant’s case they got around it. The specifics of what happened to Grant aren’t as clear but some details can be inferred. Writing on his Ello account, Grant says:

So, as far as I can tell, the attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.

The hackers enabled call-forwarding on his cell phone account. Whether this allowed the 2FA code to be sent to them or they used another method to get around it is unclear. Either way, by compromising Grant’s cell phone account they gained access to his Gmail and then his Instagram.

Third, minimise the impact of hub accounts. Hub accounts make life easy for you but also for hackers. Set up a secret email account and use that as the password reset account for your important online services. Mat had done this but the attackers were able to view the first and last letters of it; they saw m••••n@me.com. Be a bit more imaginative. You should use this email for important accounts too. Especially ones that have financial information attached like Amazon. That way, even if hackers get access to your hub accounts, they won’t gain access to important services.
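To make the hub-account point concrete, here is an added example, not code from the article or from Mat or Grant, that models password-reset links between accounts as a directed graph and computes how far a single compromise spreads. Every account name and link in it is constructed for illustration; the two sample graphs show the same set of services with and without a separate, undisclosed reset mailbox.

```python
"""Model password-reset ("recovery") dependencies between accounts and
compute the blast radius of one compromised hub account.

Constructed illustration: the account names and links below are made up
to mirror the pattern the article describes (a hub mailbox that receives
reset emails can be used to reset every account tied to it).
"""
from collections import deque

# Maps an account to the set of accounts whose password can be reset from it,
# e.g. a mailbox that receives reset links or a phone number that receives codes.
RecoveryGraph = dict[str, set[str]]


def blast_radius(graph: RecoveryGraph, compromised: str) -> set[str]:
    """Return every account an attacker can take over, transitively,
    starting from a single compromised account (breadth-first search)."""
    owned = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for target in graph.get(current, ()):
            if target not in owned:
                owned.add(target)
                queue.append(target)
    return owned


def hub_accounts(graph: RecoveryGraph, threshold: int = 3) -> list[str]:
    """Accounts whose compromise cascades to at least `threshold` other accounts."""
    return sorted(
        account for account in graph
        if len(blast_radius(graph, account)) - 1 >= threshold
    )


# Constructed sample 1: one public Gmail address is the reset address for everything,
# and the Apple ID is in turn the recovery address for that Gmail account.
SINGLE_HUB: RecoveryGraph = {
    "public_gmail": {"instagram", "amazon", "steam", "apple_id"},
    "apple_id": {"public_gmail"},
    "phone_number": {"public_gmail"},
}

# Constructed sample 2: an undisclosed mailbox holds the resets for the important
# services, so taking over the public Gmail account reaches far less.
SPLIT_HUB: RecoveryGraph = {
    "public_gmail": {"instagram", "steam"},
    "secret_reset_mailbox": {"amazon", "apple_id", "public_gmail"},
    "phone_number": {"public_gmail"},
}

if __name__ == "__main__":
    for name, graph in (("single hub", SINGLE_HUB), ("split hub", SPLIT_HUB)):
        reach = blast_radius(graph, "public_gmail") - {"public_gmail"}
        print(f"{name}: compromising public_gmail also yields {sorted(reach)}")
        print(f"{name}: hub accounts = {hub_accounts(graph)}")
```

Run it on your own list of services and reset addresses; any account that `hub_accounts` reports is one where a second factor, a separate reset mailbox, or both, pays off most. Note that in the split layout the phone number still reaches the public mailbox and everything behind it, which is the weak point Grant's story turns on.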

Finally, avoid posting sensitive information online. Mat’s hackers found his address using a WhoIs lookup — which tells you information about who owns a site — which helped them get into his Amazon account. Grant’s cell number was likely available somewhere online also. Both their hub email addresses were publicly available which gave hackers a starting point.

I love 2FA but I can understand how this would change some people’s opinion of it. What steps are you taking to protect yourself after the Mat Honan and Grant Blakeman hacks?